The lawful basis for processing data is your starting point. At least one of the following must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
With existing customers, businesses often get confused. If you have customers, you will probably have a contract with them, so you do not need to obtain consent to deal with them. Alternatively, you may have a legitimate interest in holding people's personal data. For marketing, however, you can deal with them on the basis of consent. You will need to obtain consent from your prospects or the market you sell to, for example a mailing list. Any old data should be deleted or updated. You can do this by email, letter or even orally, but you need proof, including a date.
The starting point of a privacy notice should be to tell people:
- who you are;
- what you are going to do with their information; and
- who it will be shared with.
These are the basics upon which all privacy notices should be built. However, they can also tell people more than this, and should do so where you think that not telling people would make your processing of that information unfair. In most cases a privacy notice is a website privacy notice; for an example, see the ICO's own Privacy Notice. But notices may also be required on various documents, online and on paper, such as for parking, ticketing, rent and so on.
Data Compliance Officer (DCO)
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should also consider whether you are required to formally designate a Data Protection Officer; the ICO website will tell you more. Your DCO needs to make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR, and that they appreciate the impact this is likely to have.
Peter Eales BA Hons Chartered Marketer FCIM FIDM
Founder Director Dorset Business Angels
MD o i solutions limited